Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WIP xx30/Haswell+ TXT support, IBB CPU anchored RoT through ACM blobs? #1172

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

tlaurion
Copy link
Collaborator

@tlaurion tlaurion commented Jun 16, 2022

As of today

  • xx30 is known to have TXT enabled correctly through ACM blobs+ sINIT
  • Haswell is not successfully measuring IBB through ACM+SINIT blob even with FIT

OLD:
I stayed up late last nights, reading the amazing blog posts from @3mdeb, more specifically their Fobnail articles, and kept on thinking about limitation of Heads having no RoT anchored in hardware.

Reread coreboot documentation on TXT, specifically ACM and IBB. I gave it a shot a couple of years back, without any success.

Reread the blogs post on Dasharo support of Optiplex and realized that a lot of problems linked to TXTin coreboot on Ivy bridge (xx30) were resolved by 3mdeb (thanks @miczyg1!!!). Followed the rabbit and saw that they were merged end of 2021....

Then the lines

To use the Intel TXT, you will need the BIOS ACM and the SINIT ACM. The latter is available for download from Intel while the former can be obtained by NDA only. In case you have access to both here is a short guide on how to configure coreboot to use Intel TXT.

I decided to give it a shot again. Can the ACM BIOS be downloaded just like ME was on the oath for maximized boards configurations?

Last time I digged into this enough (which lead to the Maximized support with ME neutered), it took a lot of digging to realize that Lenovo was gentle enough to distribute ME themselves from their website!

I digged deeper in the work that @3mdeb did on Optiplex, specifically their fwdeploy work, to realize that it might be highly probable that the ACM BIOS blob shared the same GUID across all Ivy boards.... Ran UEFIExtract on backups, and found the same ACM blob sharing the same GUID!

And then decided to download latest available x230 firmware executable from Lenovo, do the same thing I've done in the past to extract ME.... to realize that Lenovo is distributing the ACM BIOS blob themselves and that like ME, it can be directly downloaded and extracted.

So long story short, blobs/xx30/download_extract_acm.sh in this PR is the beginning of a PoC.
Hopefully, it will take less long then for the Maximized boards to be debugged and understand what was going wrong.

So here attached is the cbmem -c -1 log I took from an x230-hotp-maximized-acm flashed laptop, which complains that no IBB is defined and that TXT policies are missing, so no PCR0 containing IBB measurements.

cbmem_logs.txt

The documentation is so sparse.... I hope the community will help me make blob based hardware RoT possible. With that, we should have PCR0 and bootblock measured, without the need to lock it down from flashrom, considering that locking the platform just before kexec is possible as well.

Help needed!
Todos:

  • txt_bios_policy.bin not present under CBFS (required?)
  • Figure out to have bootblock in IBB (goal of this inclusion if ACM blobs are desired/tolerated)
  • Optional DRTM?!

Thank you to exist @3mdeb!!!!
@miczyg1 @pietrushnic : hints from the logs/link to documentation I missed?


  • Update coreboot target to that it includes coreboot 4.17
  • Addition of blobs/xx30/download_extract_acm.sh
    • Downloads SINIT ACM blob from an archive.org copy of the archive
    • Downloads Latest BIOS from Lenovo and extracts the ACM BIOS from there
  • Add a x230-hotp-maximized-ac board config based on coreboot 4.17
    • coreboot config includes SINIT and ACM blobs
  • CircleCI modifications
    • Add unzip in apt packages requirements
    • Added a step into CircleCI which calls blobs/xx30/download_extract_acm.sh to have blobs
    • Add x230-hotp-maximized-ac builds

@tlaurion tlaurion marked this pull request as draft June 16, 2022 21:50
@tlaurion
Copy link
Collaborator Author

tlaurion commented Jun 16, 2022

There is an issue with https://tls.mbed.org, so builds are failing for the moment.

Resolving tls.mbed.org (tls.mbed.org)... 79.170.91.36 Connecting to tls.mbed.org (tls.mbed.org)|79.170.91.36|:443... failed: No route to host. make: *** [Makefile:505: /root/project/packages/mbedtls-2.4.2-gpl.tgz] Error 1CircleCI received exit code 0

Edit : Will do PR to point to https://github.com/ARMmbed/mbedtls/archive/mbedtls-2.4.2.tar.gz instead, problem still not resolved 7 hours later....

Great resource, repology BTW: https://repology.org/project/mbedtls/information

@tlaurion
Copy link
Collaborator Author

tlaurion commented Jun 17, 2022

Seems like the required tools were not merged inside of coreboot from this discussion

https://www.mail-archive.com/coreboot@coreboot.org/msg55950.html

More specifically:

Where converged security suite by 9elements require the work to be done externally on produced coreboot ROM, cbnt option not being avail and where it is, it doesn't permit do do what is needed here.

The goal here would be to simply have bootblock in IBB at build time...

@tlaurion
Copy link
Collaborator Author

Seems like this is what I have to chew on https://9esec.io/blog/first-open-source-drtm-implementation/

@tlaurion
Copy link
Collaborator Author

Important update:
Broadwell+ can have IBB measured in PCR0.
Sandy/Ivy bridge can have TXT setuped, which basically was just done with this PR as it is.

Will rebase and rename board to be happened with txt instead of ACM.

@miczyg1
Copy link
Contributor

miczyg1 commented Jun 20, 2022

txt_bios_policy.bin not present under CBFS (required?)

Not required. This is optional if one wants to define some custom policies and deny booting an untrusted OS for example. The advantage of adding a policy to CBFS is that you not need to add it from an external storage, i.e. hard drive, like tboot does.

Figure out to have bootblock in IBB (goal of this inclusion if ACM blobs are desired/tolerated)

On Sandy/Ivy there is no concept of TXT IBB yet. And so it is not even measured by the ACM during reset. One of the lines says it: [INFO ] TXT-STS: IBB not measured
Also you can notice: [INFO ] TXT-STS: BIOS is not trusted and S-CRTM Capability rooted in: BIOS which means the platform does not protect the BIOS/IBB with a hardware ROT like BootGuard (hence "not trusted", because not verified before reset vector). S-CRTM capability can be rooted either in BIOS or processor. If rooted in the processor it means the whole chain of trust beginning with ME bootROM through BootGuard and processor bootROM up to the reset vector. When it says BIOS, either the hardware is from pre-BootGuard era or Boot Guard is not provisioned.

A good comparison of logs with Broadwell for example should reveal these differences.

@miczyg1
Copy link
Contributor

miczyg1 commented Jun 20, 2022

One does not need any manifestation unless Boot Guard is enabled or the machine is at least 10th gen Intel Core CPU (which uses CBnT)

@pietrushnic
Copy link

@tlaurion I would like to work on product, associated with Dasharo subscription, that incorporate what is possible from old D-RTM. @miczyg1 what would be the most secure setup assuming no issues with blobs transmission? I wonder what threat models old TXT can mitigate?

@miczyg1
Copy link
Contributor

miczyg1 commented Jun 20, 2022

A quick good read is https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html I think

@pietrushnic
Copy link

@miczyg1 I assume this is related with project charter for TrenchBoot as Qubes OS AEM? Can we link issues your created here?

@miczyg1
Copy link
Contributor

miczyg1 commented Jun 20, 2022

https://docs.dasharo.com/projects/trenchboot-aem/
TrenchBoot/trenchboot-issues#3
TrenchBoot/trenchboot-issues#4

@tlaurion tlaurion force-pushed the txt_x230-hotp-maximized_coreboot_417 branch 2 times, most recently from f3157a0 to 56665b5 Compare August 23, 2022 15:32
@tlaurion
Copy link
Collaborator Author

Rebased on master.
Cleaned the facts under commit.
Have x230-hotp-maximized-acm board report its rom hashes at build time and under hashes.txt for comparison.

@tlaurion tlaurion force-pushed the txt_x230-hotp-maximized_coreboot_417 branch from 56665b5 to c703b05 Compare August 23, 2022 17:18
…can't. Broadwell+ can)

- Update coreboot target to that it includes coreboot 4.17
- Addition of blobs/xx30/download_extract_acm.sh
  - Downloads SINIT ACM blob from an archive.org copy of the archive
  - Downloads Latest BIOS from Lenovo and extracts the ACM BIOS from there
- Add a x230-hotp-maximized-acm board config based on coreboot 4.17
  - coreboot config includes SINIT and ACM blobs
- CircleCI modifications
  - Add unzip in apt packages requirements
  - Added a step into CircleCI which calls blobs/xx30/download_extract_acm.sh to have blobs
  - Add x230-hotp-maximized-ac builds

Todos:
- txt_bios_policy.bin not present under CBFS (Not required up until Intel gen 10 for Bootguard)
- IBB not existing concept, so cannot include bootblock (goal of this inclusion if ACM blobs were desired/tolerated)

This is building block for TXT (DRTM) under Heads.
@tlaurion
Copy link
Collaborator Author

tlaurion commented Feb 4, 2023

To be considered under #1282 where ACM + Sinit blobs can enable RoT in CPU!

@tlaurion
Copy link
Collaborator Author

Discussion happening under https://forum.qubes-os.org/t/trenchboot-anti-evil-maid-for-qubes-os/16559/10

For D-RTM enablement and QubesOS AEM support next steps

tlaurion added a commit to tlaurion/heads that referenced this pull request Feb 17, 2023
- As of now, includes download and extraction scripts under blobs/xx30/download_extract_acm.sh
- Adds x230-hotp-maximized-acm and x230-maximized-acm boards
- Based on top of both linuxboot#1312 and linuxboot#1172 (coreboot 4.19 based)

Next: attempt https://matrix.to/#/!WHWPvnIGPhGGtUFucJ:matrix.org/$qkNCHc4PDARgf_dLGZAVvYUF-eSgE5pLxL4DhgIW6i8?via=matrix.org&via=invisiblethingslab.com&via=matrix.tu-berlin.de
tlaurion added a commit to tlaurion/heads that referenced this pull request Feb 17, 2023
- As of now, includes download and extraction scripts under blobs/xx30/download_extract_acm.sh
- Adds x230-hotp-maximized-acm and x230-maximized-acm boards
- Based on top of both linuxboot#1312 and linuxboot#1172 (coreboot 4.19 based)

Next: attempt https://matrix.to/#/!WHWPvnIGPhGGtUFucJ:matrix.org/$qkNCHc4PDARgf_dLGZAVvYUF-eSgE5pLxL4DhgIW6i8?via=matrix.org&via=invisiblethingslab.com&via=matrix.tu-berlin.de
tlaurion added a commit to tlaurion/heads that referenced this pull request Feb 17, 2023
- As of now, includes download and extraction scripts under blobs/xx30/download_extract_acm.sh
- Adds x230-hotp-maximized-acm and x230-maximized-acm boards
- Based on top of both linuxboot#1312 and linuxboot#1172 (coreboot 4.19 based)

Next: attempt https://matrix.to/#/!WHWPvnIGPhGGtUFucJ:matrix.org/$qkNCHc4PDARgf_dLGZAVvYUF-eSgE5pLxL4DhgIW6i8?via=matrix.org&via=invisiblethingslab.com&via=matrix.tu-berlin.de
@tlaurion
Copy link
Collaborator Author

To investigate and reuse to find ACM blob https://github.com/coreboot/coreboot/blob/master/util/cbfstool/fit.c#L353

@tlaurion
Copy link
Collaborator Author

tlaurion commented Jul 12, 2023

Maybe bad news even on Haswell+ where ACM is supposed to be able to measure IBB through FIT descriptor but apparatly doesn't

IBB measurement happens only with server TXT most likely... There is not much documentation about differences between client TXT and server TXT though

TXT registers say IBB measured, but it didn't seem to be measured? Like, it seems to be server TXT behavior (??), but still not reliably.

Trace of discussions

@tlaurion tlaurion changed the title WIP xx30: TXT support ? WIP xx30/Haswell+ TXT support, IBB CPU anchored RoT through ACM blobs? Jul 19, 2023
@ansiwen
Copy link

ansiwen commented Sep 4, 2023

I gave up on TXT and switched to BtG 1.0 for enabling PCR-0 IBB measurements on the ProDrive Hermes board (C248 chipset, Cannonlake/Coffeelake): https://gist.github.com/ansiwen/255174aa96d6dc34680d95957d9d6fe9

@miczyg1
Copy link
Contributor

miczyg1 commented Sep 5, 2023

Just to clarify the possibilities of TXT measuring the IBB to PCR0, a few things that have to be known:

  1. There are two Intel TXT variants: client and server. Each have a different "feature set" and behavior.
  2. There are ACM and SACM. The difference is that the latter is Startup ACM, which means it is intended to be run at reset vector. The former are to be run by the BIOS code. There is a bit in the ACM header that indicates if it should be run at reset vector or not. (https://cdrdv2.intel.com/v1/dl/getContent/315168 Table 4 bits 6-7 to distinguish server/client TXT, and ACM heard in APPENDIX A ModuleSubType, although the description is misleading because 0 doesn't necessarily mean SINIT ACM, the real BIOS ACM vs SINTI ACM info is described by ChipsetACMType in Table 10 - yeah confusing...)
  3. Client TXT BIOS ACMs are not SACMs, thus the CPU does not run it, despite it is present in FIT. Server TXT ACMs are SACMs and are run at reset vector and those MEASURE IBB.
  4. The ProDrive Hermes board (C248 chipset, Cannonlake/Coffeelake) platform is considered as an entry server board based on client Cannon Lake H chipset, so no server TXT SACMs for it... What is considered a genuine server board then? Probably something between Xeon Scallable Processors (or basically anything that can do two sockets and more). A few codenames that are genuine servers: Purley, Whitley (IceLake-SP), Skylake-SP, CascadeLake, CooperLake, Sapphire Rapids, Emerald Rapids.
  5. Of course, trying to run the Server TXT SACM will fail because of CPU or chipset mismatch.
  6. It May require setting the TXT bit in the ME and running SPS firmware. When the TXT was set, the status bits in CPU TXT registers did change.

We got to these conclusions with @ansiwen when researching the TXT IBB measurement possibilities.

tl;dr

Unless you have a real server board, don't go with TXT to measure IBB, you have to provision BootGuard for it...

EDIT: Of course CBnT supported silicon (i.e IceLake+, CometLake-S +, TigerLake+) is another thing. IIRC no matter if you use BootGuard (with measurement) or TXT, IBB will be measured.

@ansiwen
Copy link

ansiwen commented Sep 5, 2023

Thanks @miczyg1 for the summary!

To be honest, I'm still not convinced that it is not possible to enable TXT on the C246 chipset. I never tried to create the BIOS Policy and TXT Policy entries in the FIT (because a lack of tools) and after my experience with BtG 1.0 I would not be surprised, if the measurement only happens, if these entries exist, are correct, and contain the matching hash for the IBB. The "best" output I could get was this:

TEE-TXT: Initializing TEE...
TXT-STS: ACM verification successful
TXT-STS: IBB measured
TXT-STS: TXT is not disabled
TXT-STS: BIOS is not trusted
CBnT: SACM INFO MSR (0x13A) raw: 0x0000000100000000
CBnT:   NEM status:              0
CBnT:   TPM type:                No TPM
CBnT:   TPM success:             0
CBnT:   FACB:                    0
CBnT:   measured boot:           0
CBnT:   verified boot:           0
CBnT:   revoked:                 0
CBnT:   BtG capable:             1
CBnT:   TXT capable:             0
CBnT: BOOTSTATUS (0xA0) raw: 0x8000000000000000
CBnT:   Bios trusted:            0
CBnT:   TXT disabled by policy:  0
CBnT:   Bootguard startup error: 0
CBnT:   TXT ucode or ACM error:  0
CBnT:   TXT measurement type 7:  1
CBnT: ERRORCODE (0x30) raw: 0x00000000
CBnT: BIOSACM_ERRORCODE (0x328) raw: 0x80008003
CBnT: BIOSACM_ERRORCODE: TXT ucode or ACM error
CBnT:   AC Module Type:          Boot Guard Error
CBnT:   class:                   0x0
CBnT:   major:                   0x0
CBnT:   External:                0x0
TEE-TXT: State of ACM and ucode update:
TEE-TXT: Chipset Key Hash 0x4a85de53d8f0789c116ab8721c76472fd7aac184a9664a16112d1cb74f14e392
TEE-TXT: DIDVID 0xb0088086
TEE-TXT: production fused chipset: true
TEE-TXT: Validate TEE...
TEE-TXT: CPU supports SMX: true
TEE-TXT: CPU supports VMX: true
TEE-TXT: IA32_FEATURE_CONTROL
 VMXON in SMX enable: true
 VMXON outside SMX enable: true
 register is locked: true
 GETSEC (all instructions) is enabled: true
TEE-TXT: GETSEC[CAPABILITIES] returned:
 TXT capable chipset:  true
 ENTERACCS available:  true
 EXITAC available:     true
 SENTER available:     true
 SEXIT available:      true
 PARAMETERS available: true
TEE-TXT: Machine Check Register: preserved

This was with the SACM of the Gigabyte C248-WU4 board (which has TXT support) and enabled TXT bit.
So, it claimed to have measured the IBB, but did not put the measurement into PCR-0 yet. If the TXT-STS: BIOS is not trusted is fixed, that might be different.

@miczyg1
Copy link
Contributor

miczyg1 commented Sep 5, 2023

@ansiwen I believe we cannot get over this one:

Client TXT BIOS ACMs are not SACMs, thus the CPU does not run it, despite it is present in FIT. Server TXT ACMs are SACMs and are run at reset vector and those MEASURE IBB.

The CPU simply won't load the TXT BIOS ACM if it is not SACM

@ansiwen
Copy link

ansiwen commented Sep 5, 2023

@miczyg1
Copy link
Contributor

miczyg1 commented Sep 5, 2023

A TXT SACM for the C62X chipset can be found in this firmware: https://www.intel.de/content/www/de/de/download/18911/intel-server-board-s2600wf-family-bios-and-firmware-update-package-for-uefi.html

Despite that, ACMs have a Processor ID list (see https://cdrdv2.intel.com/v1/dl/getContent/315168 Table 13 and Table 14), which will prevent loading the ACM on arbitrary processors, like non-server ones in case of the ACM you are talking about.

@ansiwen
Copy link

ansiwen commented Sep 5, 2023

@ansiwen I believe we cannot get over this one:

Client TXT BIOS ACMs are not SACMs, thus the CPU does not run it, despite it is present in FIT. Server TXT ACMs are SACMs and are run at reset vector and those MEASURE IBB.

The CPU simply won't load the TXT BIOS ACM if it is not SACM

@miczyg1 Sure, but the BtG SACM seems to have some TXT support, because it reacts to the TXT bit, and the Gigabyte board officially has TXT support in the BIOS settings. And I wonder what would happen if this TXT support would be successfully enabled.

@ansiwen
Copy link

ansiwen commented Sep 5, 2023

A TXT SACM for the C62X chipset can be found in this firmware: https://www.intel.de/content/www/de/de/download/18911/intel-server-board-s2600wf-family-bios-and-firmware-update-package-for-uefi.html

Despite that, ACMs have a Processor ID list (see https://cdrdv2.intel.com/v1/dl/getContent/315168 Table 13 and Table 14), which will prevent loading the ACM on arbitrary processors, like non-server ones in case of the ACM you are talking about.

Sure, I just wanted to share the find, in case someone has a compatible chipset.

@miczyg1
Copy link
Contributor

miczyg1 commented Sep 6, 2023

@ansiwen I believe we cannot get over this one:

Client TXT BIOS ACMs are not SACMs, thus the CPU does not run it, despite it is present in FIT. Server TXT ACMs are SACMs and are run at reset vector and those MEASURE IBB.

The CPU simply won't load the TXT BIOS ACM if it is not SACM

@miczyg1 Sure, but the BtG SACM seems to have some TXT support, because it reacts to the TXT bit, and the Gigabyte board officially has TXT support in the BIOS settings. And I wonder what would happen if this TXT support would be successfully enabled.

That is yet another path maybe worth exploring. That said, you will need both ACMs in such case:

  1. BtG SACM in CBFS and FIT
  2. TXT BIOS ACM in CBFS only (it should not go to FIT on client systems)

And see what happens

@miczyg1
Copy link
Contributor

miczyg1 commented Sep 6, 2023

A TXT SACM for the C62X chipset can be found in this firmware: https://www.intel.de/content/www/de/de/download/18911/intel-server-board-s2600wf-family-bios-and-firmware-update-package-for-uefi.html

Despite that, ACMs have a Processor ID list (see https://cdrdv2.intel.com/v1/dl/getContent/315168 Table 13 and Table 14), which will prevent loading the ACM on arbitrary processors, like non-server ones in case of the ACM you are talking about.

Sure, I just wanted to share the find, in case someone has a compatible chipset.

Compatible chipset AND CPU :)

@tlaurion
Copy link
Collaborator Author

So if I get this all well, the only way around this is to forget about IBB measured bootblock and go trenchboot's way, enabling drtm with acm blobs from ivy bridge and up and go integrate trenchboot so that SLCM will be responsible to verify that the bootblock matches checksum inside of cbfs whenever requested up to whatever is desired to be measured?

From what I'm reading above, SRTM with SACM measuring bootblock as part of IBB is reserved to server platforms only and cannot be generalized.

Per prior work, Haswell and previous board configs under Heads have "platform locking" prepared by coreboot and enabled prior of final kexec call, locking write access to SPI from OS as of today. I'm still wrapping my head around how different drtm would prevent tampering of both bootblock and bootblock hash in cbfs but it seems that energy invested should go in that direction which should continue under an Heads specific trenchboot integration issue.

@miczyg1 thoughts/corrections?

@miczyg1
Copy link
Contributor

miczyg1 commented Sep 12, 2023

go integrate trenchboot so that SLCM will be responsible to verify that the bootblock matches checksum inside of cbfs whenever requested up to whatever is desired to be measured?

Not sure what SLCM is. There is no point in verifying bootblock in CBFS against its checksum in CBFS, both things can be replaced to malicious content.

@tlaurion
Copy link
Collaborator Author

tlaurion commented Apr 1, 2024

go integrate trenchboot so that SLCM will be responsible to verify that the bootblock matches checksum inside of cbfs whenever requested up to whatever is desired to be measured?

Not sure what SLCM is. There is no point in verifying bootblock in CBFS against its checksum in CBFS, both things can be replaced to malicious content.

@miczyg1 I meant SACM/ACM, typo.

What I meant, again, is that if sinit+ACM blobs permits to add bootblock under IBB under FIT, it should be possible to have CPU RoT withtout bootguard, otherwise i'm still missing something I would love to understand once and for all.

Another issue was created under system76/firmware-open#396 with similar concepts implied.
As per this issue, it would be nice to know from which chipset+cpu implements this correctly, and have coreboot upstream doc completed and or refer on attempts to resolve what is missing to go there?

I asked about this in both general and random dasharo channels and crosslinked the posts:

From https://doc.coreboot.org/security/vboot/measured_boot.html#known-limitations

At the moment measuring IBB dynamically and FMAP partitions are not possible but will be added later to the implementation.

Also SoCs making use of VBOOT_RETURN_FROM_VERSTAGE are not able to use the measured boot extension because of platform constraints.

While https://doc.coreboot.org/security/intel/txt_ibb.html

Seems pretty complete, just unsure if coreboot permits to configure IBB from kconfig options directly.

What is currently missing from coreboot side? Which platforms and CPU families are the lowest requirements to implement TXT with sinit+acm to measure bootblock as part of IBB with CPU anchored RoT?

@tlaurion
Copy link
Collaborator Author

tlaurion commented Apr 2, 2024

go integrate trenchboot so that SLCM will be responsible to verify that the bootblock matches checksum inside of cbfs whenever requested up to whatever is desired to be measured?

Not sure what SLCM is. There is no point in verifying bootblock in CBFS against its checksum in CBFS, both things can be replaced to malicious content.

@miczyg1 I meant SACM/ACM, typo.

What I meant, again, is that if sinit+ACM blobs permits to add bootblock under IBB under FIT, it should be possible to have CPU RoT withtout bootguard, otherwise i'm still missing something I would love to understand once and for all.

Another issue was created under system76/firmware-open#396 with similar concepts implied. As per this issue, it would be nice to know from which chipset+cpu implements this correctly, and have coreboot upstream doc completed and or refer on attempts to resolve what is missing to go there?

I asked about this in both general and random dasharo channels and crosslinked the posts:

From https://doc.coreboot.org/security/vboot/measured_boot.html#known-limitations

At the moment measuring IBB dynamically and FMAP partitions are not possible but will be added later to the implementation.

Also SoCs making use of VBOOT_RETURN_FROM_VERSTAGE are not able to use the measured boot extension because of platform constraints.

While https://doc.coreboot.org/security/intel/txt_ibb.html
Seems pretty complete, just unsure if coreboot permits to configure IBB from kconfig options directly.
What is currently missing from coreboot side? Which platforms and CPU families are the lowest requirements to implement TXT with sinit+acm to measure bootblock as part of IBB with CPU anchored RoT?

Answered at https://matrix.to/#/!rsKWMJGPMsyPTTjXuh:matrix.org/$BrErJTOamhiyDOIsXDPUSRAObTPrsEt4EFSMz97qxwU?via=matrix.org&via=nitro.chat&via=invisiblethingslab.com by @miczyg1

Use ARK: https://ark.intel.com/content/www/us/en/ark.html to determine if CPU supports TXT if you are interested particularly about TXT.

If you are interested in the PCR0 measurement at reset, forget about TXT, it only limits your potential choices. Since 11th generation BootGuard and TXT has been merged into one, and in order to enable TXT, one needs to set up the manifests properly, like it would be BootGuard. So better set up Boot Guard profile 3 (Verification + Measurement with unlimited recovery time on failure) and prepare manifests with the IBB you want to have measured. BootGuard is supported by all processors AFAIK

What is missing from coreboot? Working 9e tools for starters. Last time I wanted to build a proper coreboot with Boot Guard support, these tools kept crashing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants